Chromium Code Reviews Chromium Code Reviews
Issue 2777383002:
Update SSL error handling code to account for Subject CN deprecation (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/ssl_error_handler.h" | 5 #include "chrome/browser/ssl/ssl_error_handler.h" |
| 6 | 6 |
| 7 #include "base/callback.h" | 7 #include "base/callback.h" |
| 8 #include "base/macros.h" | 8 #include "base/macros.h" |
| 9 #include "base/memory/ptr_util.h" | 9 #include "base/memory/ptr_util.h" |
| 10 #include "base/metrics/field_trial.h" | 10 #include "base/metrics/field_trial.h" |
| (...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 194 // A class to test name mismatch errors. Creates an error handler with a name | 194 // A class to test name mismatch errors. Creates an error handler with a name |
| 195 // mismatch error. | 195 // mismatch error. |
| 196 class SSLErrorHandlerNameMismatchTest : public ChromeRenderViewHostTestHarness { | 196 class SSLErrorHandlerNameMismatchTest : public ChromeRenderViewHostTestHarness { |
| 197 public: | 197 public: |
| 198 SSLErrorHandlerNameMismatchTest() : field_trial_list_(nullptr) {} | 198 SSLErrorHandlerNameMismatchTest() : field_trial_list_(nullptr) {} |
| 199 | 199 |
| 200 void SetUp() override { | 200 void SetUp() override { |
| 201 ChromeRenderViewHostTestHarness::SetUp(); | 201 ChromeRenderViewHostTestHarness::SetUp(); |
| 202 SSLErrorHandler::ResetConfigForTesting(); | 202 SSLErrorHandler::ResetConfigForTesting(); |
| 203 SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta()); | 203 SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta()); |
| 204 ssl_info_.cert = | 204 ssl_info_.cert = GetCertificate(); |
| 205 net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"); | |
| 206 ssl_info_.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID; | 205 ssl_info_.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID; |
| 207 ssl_info_.public_key_hashes.push_back( | 206 ssl_info_.public_key_hashes.push_back( |
| 208 net::HashValue(kCertPublicKeyHashValue)); | 207 net::HashValue(kCertPublicKeyHashValue)); |
| 209 | 208 |
| 210 delegate_ = | 209 delegate_ = |
| 211 new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_); | 210 new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_); |
| 212 error_handler_.reset(new TestSSLErrorHandler( | 211 error_handler_.reset(new TestSSLErrorHandler( |
| 213 std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(), | 212 std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(), |
| 214 profile(), net::MapCertStatusToNetError(ssl_info_.cert_status), | 213 profile(), net::MapCertStatusToNetError(ssl_info_.cert_status), |
| 215 ssl_info_, | 214 ssl_info_, |
| 216 GURL(), // request_url | 215 GURL(), // request_url |
| 217 base::Callback<void(content::CertificateRequestResultType)>())); | 216 base::Callback<void(content::CertificateRequestResultType)>())); |
| 218 } | 217 } |
| 219 | 218 |
| 219 // Returns a certificate for the test. Virtual to allow derived fixtures to | |
| 220 // use a certificate with different characteristics. | |
| 221 virtual scoped_refptr<net::X509Certificate> GetCertificate() { | |
|
estark
2017/04/04 17:22:07
nit: make protected
elawrence
2017/04/04 19:53:24
I made it private based on usage.
| |
| 222 return net::ImportCertFromFile(net::GetTestCertsDirectory(), | |
| 223 "subjectAltName_www_example_com.pem"); | |
| 224 } | |
| 225 | |
| 220 void TearDown() override { | 226 void TearDown() override { |
| 221 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | 227 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); |
| 222 error_handler_.reset(nullptr); | 228 error_handler_.reset(nullptr); |
| 223 SSLErrorHandler::ResetConfigForTesting(); | 229 SSLErrorHandler::ResetConfigForTesting(); |
| 224 ChromeRenderViewHostTestHarness::TearDown(); | 230 ChromeRenderViewHostTestHarness::TearDown(); |
| 225 } | 231 } |
| 226 | 232 |
| 233 ~SSLErrorHandlerNameMismatchTest() override {} | |
|
estark
2017/04/04 17:22:07
nit: should go at line 199
elawrence
2017/04/04 19:53:24
Done.
| |
| 234 | |
| 227 TestSSLErrorHandler* error_handler() { return error_handler_.get(); } | 235 TestSSLErrorHandler* error_handler() { return error_handler_.get(); } |
| 228 TestSSLErrorHandlerDelegate* delegate() { return delegate_; } | 236 TestSSLErrorHandlerDelegate* delegate() { return delegate_; } |
| 229 | 237 |
| 230 const net::SSLInfo& ssl_info() { return ssl_info_; } | 238 const net::SSLInfo& ssl_info() { return ssl_info_; } |
| 231 | 239 |
| 232 private: | 240 private: |
| 233 net::SSLInfo ssl_info_; | 241 net::SSLInfo ssl_info_; |
| 234 std::unique_ptr<TestSSLErrorHandler> error_handler_; | 242 std::unique_ptr<TestSSLErrorHandler> error_handler_; |
| 235 TestSSLErrorHandlerDelegate* delegate_; | 243 TestSSLErrorHandlerDelegate* delegate_; |
| 236 base::FieldTrialList field_trial_list_; | 244 base::FieldTrialList field_trial_list_; |
| 237 | 245 |
| 238 DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchTest); | 246 DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchTest); |
| 239 }; | 247 }; |
| 240 | 248 |
| 249 // A class to test name mismatch errors, where the certificate lacks a | |
| 250 // SubjectAltName. Creates an error handler with a name mismatch error. | |
| 251 class SSLErrorHandlerNameMismatchNoSANTest | |
| 252 : public SSLErrorHandlerNameMismatchTest { | |
| 253 public: | |
| 254 SSLErrorHandlerNameMismatchNoSANTest() {} | |
| 255 | |
| 256 // Return a certificate that contains no SubjectAltName field. | |
| 257 scoped_refptr<net::X509Certificate> GetCertificate() override { | |
| 258 return net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem"); | |
| 259 } | |
| 260 | |
| 261 DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchNoSANTest); | |
| 262 }; | |
| 263 | |
| 241 // A class to test the captive portal certificate list feature. Creates an error | 264 // A class to test the captive portal certificate list feature. Creates an error |
| 242 // handler with a name mismatch error by default. The error handler can be | 265 // handler with a name mismatch error by default. The error handler can be |
| 243 // recreated by calling ResetErrorHandler() with an appropriate cert status. | 266 // recreated by calling ResetErrorHandler() with an appropriate cert status. |
| 244 class SSLErrorHandlerCaptivePortalCertListTest | 267 class SSLErrorHandlerCaptivePortalCertListTest |
| 245 : public ChromeRenderViewHostTestHarness { | 268 : public ChromeRenderViewHostTestHarness { |
| 246 public: | 269 public: |
| 247 SSLErrorHandlerCaptivePortalCertListTest() : field_trial_list_(nullptr) {} | 270 SSLErrorHandlerCaptivePortalCertListTest() : field_trial_list_(nullptr) {} |
| 248 | 271 |
| 249 void SetUp() override { | 272 void SetUp() override { |
| 250 ChromeRenderViewHostTestHarness::SetUp(); | 273 ChromeRenderViewHostTestHarness::SetUp(); |
| (...skipping 317 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 568 | 591 |
| 569 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | 592 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); |
| 570 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); | 593 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); |
| 571 | 594 |
| 572 // Note that the suggested URL check is never completed, so there is no entry | 595 // Note that the suggested URL check is never completed, so there is no entry |
| 573 // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE. | 596 // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE. |
| 574 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); | 597 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); |
| 575 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 598 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 576 SSLErrorHandler::HANDLE_ALL, 1); | 599 SSLErrorHandler::HANDLE_ALL, 1); |
| 577 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 600 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 578 SSLErrorHandler::WWW_MISMATCH_FOUND, 1); | 601 SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1); |
| 579 histograms.ExpectBucketCount( | 602 histograms.ExpectBucketCount( |
| 580 SSLErrorHandler::GetHistogramNameForTesting(), | 603 SSLErrorHandler::GetHistogramNameForTesting(), |
| 581 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | 604 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); |
| 582 } | 605 } |
| 583 | 606 |
| 584 TEST_F(SSLErrorHandlerNameMismatchTest, | 607 TEST_F(SSLErrorHandlerNameMismatchTest, |
| 585 ShouldNotHandleNameMismatchOnNonOverridableError) { | 608 ShouldNotHandleNameMismatchOnNonOverridableError) { |
| 586 base::HistogramTester histograms; | 609 base::HistogramTester histograms; |
| 587 delegate()->set_non_overridable_error(); | 610 delegate()->set_non_overridable_error(); |
| 588 delegate()->set_suggested_url_exists(); | 611 delegate()->set_suggested_url_exists(); |
| (...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 642 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | 665 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); |
| 643 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); | 666 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); |
| 644 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); | 667 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); |
| 645 | 668 |
| 646 // Note that the suggested URL check is never completed, so there is no entry | 669 // Note that the suggested URL check is never completed, so there is no entry |
| 647 // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE. | 670 // for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE. |
| 648 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); | 671 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); |
| 649 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 672 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 650 SSLErrorHandler::HANDLE_ALL, 1); | 673 SSLErrorHandler::HANDLE_ALL, 1); |
| 651 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 674 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 652 SSLErrorHandler::WWW_MISMATCH_FOUND, 1); | 675 SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1); |
| 653 histograms.ExpectBucketCount( | 676 histograms.ExpectBucketCount( |
| 654 SSLErrorHandler::GetHistogramNameForTesting(), | 677 SSLErrorHandler::GetHistogramNameForTesting(), |
| 655 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | 678 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); |
| 656 } | 679 } |
| 657 | 680 |
| 658 TEST_F(SSLErrorHandlerNameMismatchTest, | 681 TEST_F(SSLErrorHandlerNameMismatchTest, |
| 659 ShouldRedirectOnSuggestedUrlCheckResult) { | 682 ShouldRedirectOnSuggestedUrlCheckResult) { |
| 660 base::HistogramTester histograms; | 683 base::HistogramTester histograms; |
| 661 delegate()->set_suggested_url_exists(); | 684 delegate()->set_suggested_url_exists(); |
| 662 error_handler()->StartHandlingError(); | 685 error_handler()->StartHandlingError(); |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 674 GURL("https://random.example.com")); | 697 GURL("https://random.example.com")); |
| 675 | 698 |
| 676 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | 699 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); |
| 677 EXPECT_FALSE(delegate()->ssl_interstitial_shown()); | 700 EXPECT_FALSE(delegate()->ssl_interstitial_shown()); |
| 678 EXPECT_TRUE(delegate()->redirected_to_suggested_url()); | 701 EXPECT_TRUE(delegate()->redirected_to_suggested_url()); |
| 679 | 702 |
| 680 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); | 703 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3); |
| 681 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 704 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 682 SSLErrorHandler::HANDLE_ALL, 1); | 705 SSLErrorHandler::HANDLE_ALL, 1); |
| 683 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 706 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 684 SSLErrorHandler::WWW_MISMATCH_FOUND, 1); | 707 SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1); |
| 685 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 708 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 686 SSLErrorHandler::WWW_MISMATCH_URL_AVAILABLE, 1); | 709 SSLErrorHandler::WWW_MISMATCH_URL_AVAILABLE, 1); |
| 687 } | 710 } |
| 688 | 711 |
| 712 // No suggestions should be requested if certificate lacks a SubjectAltName. | |
| 713 TEST_F(SSLErrorHandlerNameMismatchNoSANTest, | |
| 714 SSLCommonNameMismatchHandlingRequiresSubjectAltName) { | |
| 715 base::HistogramTester histograms; | |
| 716 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | |
| 717 delegate()->set_suggested_url_exists(); | |
| 718 error_handler()->StartHandlingError(); | |
| 719 | |
| 720 EXPECT_FALSE(delegate()->suggested_url_checked()); | |
| 721 base::RunLoop().RunUntilIdle(); | |
| 722 | |
| 723 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); | |
| 724 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); | |
| 725 | |
| 726 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2); | |
| 727 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | |
| 728 SSLErrorHandler::HANDLE_ALL, 1); | |
| 729 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | |
| 730 SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 0); | |
| 731 histograms.ExpectBucketCount( | |
| 732 SSLErrorHandler::GetHistogramNameForTesting(), | |
| 733 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | |
| 734 } | |
| 735 | |
| 689 TEST_F(SSLErrorHandlerNameMismatchTest, | 736 TEST_F(SSLErrorHandlerNameMismatchTest, |
| 690 ShouldShowSSLInterstitialOnInvalidUrlCheckResult) { | 737 ShouldShowSSLInterstitialOnInvalidUrlCheckResult) { |
| 691 base::HistogramTester histograms; | 738 base::HistogramTester histograms; |
| 692 delegate()->set_suggested_url_exists(); | 739 delegate()->set_suggested_url_exists(); |
| 693 error_handler()->StartHandlingError(); | 740 error_handler()->StartHandlingError(); |
| 694 | 741 |
| 695 EXPECT_TRUE(error_handler()->IsTimerRunningForTesting()); | 742 EXPECT_TRUE(error_handler()->IsTimerRunningForTesting()); |
| 696 EXPECT_TRUE(delegate()->suggested_url_checked()); | 743 EXPECT_TRUE(delegate()->suggested_url_checked()); |
| 697 EXPECT_FALSE(delegate()->ssl_interstitial_shown()); | 744 EXPECT_FALSE(delegate()->ssl_interstitial_shown()); |
| 698 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); | 745 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); |
| 699 // Fake an Invalid Suggested URL Check result. | 746 // Fake an Invalid Suggested URL Check result. |
| 700 delegate()->SendSuggestedUrlCheckResult( | 747 delegate()->SendSuggestedUrlCheckResult( |
| 701 CommonNameMismatchHandler::SuggestedUrlCheckResult:: | 748 CommonNameMismatchHandler::SuggestedUrlCheckResult:: |
| 702 SUGGESTED_URL_NOT_AVAILABLE, | 749 SUGGESTED_URL_NOT_AVAILABLE, |
| 703 GURL()); | 750 GURL()); |
| 704 | 751 |
| 705 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); | 752 EXPECT_FALSE(error_handler()->IsTimerRunningForTesting()); |
| 706 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); | 753 EXPECT_TRUE(delegate()->ssl_interstitial_shown()); |
| 707 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); | 754 EXPECT_FALSE(delegate()->redirected_to_suggested_url()); |
| 708 | 755 |
| 709 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 4); | 756 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 4); |
| 710 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 757 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 711 SSLErrorHandler::HANDLE_ALL, 1); | 758 SSLErrorHandler::HANDLE_ALL, 1); |
| 712 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 759 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 713 SSLErrorHandler::WWW_MISMATCH_FOUND, 1); | 760 SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1); |
| 714 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 761 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 715 SSLErrorHandler::WWW_MISMATCH_URL_NOT_AVAILABLE, | 762 SSLErrorHandler::WWW_MISMATCH_URL_NOT_AVAILABLE, |
| 716 1); | 763 1); |
| 717 histograms.ExpectBucketCount( | 764 histograms.ExpectBucketCount( |
| 718 SSLErrorHandler::GetHistogramNameForTesting(), | 765 SSLErrorHandler::GetHistogramNameForTesting(), |
| 719 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | 766 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); |
| 720 } | 767 } |
| 721 | 768 |
| 722 TEST_F(SSLErrorHandlerDateInvalidTest, TimeQueryStarted) { | 769 TEST_F(SSLErrorHandlerDateInvalidTest, TimeQueryStarted) { |
| 723 base::HistogramTester histograms; | 770 base::HistogramTester histograms; |
| (...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 954 | 1001 |
| 955 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2); | 1002 histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2); |
| 956 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), | 1003 histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(), |
| 957 SSLErrorHandler::HANDLE_ALL, 1); | 1004 SSLErrorHandler::HANDLE_ALL, 1); |
| 958 histograms.ExpectBucketCount( | 1005 histograms.ExpectBucketCount( |
| 959 SSLErrorHandler::GetHistogramNameForTesting(), | 1006 SSLErrorHandler::GetHistogramNameForTesting(), |
| 960 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); | 1007 SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1); |
| 961 } | 1008 } |
| 962 | 1009 |
| 963 #endif // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION) | 1010 #endif // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION) |
| OLD | NEW |
